I'm trying to test/configure csf/lfd lockout for failed login attempts.

The csf code section looks like the one below, and it doesn't seem to detect failed IMAP
logins (it picks up/detects SSH logins OK):

I guess the regexp doesn't match my log, but my knowledge of regexps is
below what's needed.

Also, how do I wrap up the if section below into a standalone script just
to test the detection logic, so I can throw a log file at it without actually
having to misconfigure an email client to test?

Thanks for all pointers.

------------------
#dovecot
if (($config{LF_POP3D}) and ($lgfile eq $config{POP3D_LOG}) and ($line =~
/^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ dovecot(\[\d+\])?: pop3-login: (Aborted
log
        $ip = $8; $acc = $7; $ip =~ s/^::ffff://; $acc =~ s/^<|>$//g;
if (&checkip($ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")}
else {return}
}
if (($config{LF_IMAPD}) and ($lgfile eq $config{IMAPD_LOG}) and ($line =~
/^(\S+|\S+\s+\d+\s+\S+) [^\s\.]+ dovecot(\[\d+\])?: imap-login: (Aborted
log
        $ip = $7; $acc = $6; $ip =~ s/^::ffff://; $acc =~ s/^<|>$//g;
if (&checkip($ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")}
else {return}
}
------------------

Failed attempts are logged as:

Sep  1 13:41:55 mailhost dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<[email protected]>, method=PLAIN, rip=101.168.85.xx, lip=188.188.188.4, TLS
Sep  1 13:41:59 mailhost dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<[email protected]>, method=PLAIN, rip=101.168.85.xx, lip=188.188.188.4, TLS
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
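A standalone harness for the question above, as an added example that is not csf's own code or the poster's: it reads a log file (or, with no argument, two constructed sample lines modelled on the post) and reports which lines the imap-login rule would flag. The regex below is constructed to match the sample lines and mirrors csf's group numbering ($6 user, $7 remote IP), so csf's real pattern can be pasted in its place; csf's &checkip() is left out.

```perl
#!/usr/bin/perl
# Standalone tester for the dovecot imap-login rule (constructed example, not
# csf's own code). Usage: perl imaptest.pl /var/log/maillog   (no file: self-test)
use strict;
use warnings;

# Constructed regex matching the sample lines from the post. Capture groups:
# $1 timestamp, $2 host, $3 pid, $4 event, $5 reason, $6 user, $7 remote IP.
# Swap in the full regex from csf's "#dovecot" block to test csf's real pattern.
my $imap_re = qr/^(\S+\s+\d+\s+\S+) ([^\s.]+) dovecot(\[\d+\])?: imap-login: (Aborted login|Disconnected) \(((?:auth failed|no auth attempts)[^)]*)\): user=(\S+), method=\S+, rip=(\S+), lip=\S+/;

# Same post-processing and return value as csf's block, minus &checkip().
sub detect_imap_fail {
    my ($line) = @_;
    return unless $line =~ $imap_re;
    my ($acc, $ip) = ($6, $7);
    $ip  =~ s/^::ffff://;      # drop IPv4-mapped IPv6 prefix, as csf does
    $acc =~ s/^<|>$//g;        # strip the <> around the user name
    return ("Failed IMAP login from", "$ip|$acc", "imapd");
}

# Constructed sample lines (one syslog line each; mail clients wrap them).
my @sample = (
  'Sep  1 13:41:55 mailhost dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<bob@example.com>, method=PLAIN, rip=101.168.85.xx, lip=188.188.188.4, TLS',
  'Sep  1 13:42:10 mailhost dovecot: imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=101.168.85.xx, lip=188.188.188.4, TLS',
);

my @lines;
if (my $file = shift @ARGV) {
    open(my $fh, '<', $file) or die "cannot open $file: $!\n";
    @lines = <$fh>;
    close($fh);
} else {
    @lines = @sample;
}

my $hits = 0;
for my $line (@lines) {
    chomp $line;
    my @r = detect_imap_fail($line);
    next unless @r;
    $hits++;
    print "$r[0] $r[1] ($r[2])\n";
}
printf STDERR "%d of %d lines matched\n", $hits, scalar @lines;
```

With no arguments it should report exactly one match (the "auth failed" line); if a real log file produces zero matches, the pattern, not the lockout configuration, is what needs fixing.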
